Volunteering falls short on threat information sharing

Critical infrastructure security apparently has its own version of Don't Ask, Don't Tell, despite calls in the public and private sector for better information sharing.

And this one goes both ways. The private sector is not telling the government about its vulnerabilities, and government is also keeping threat and vulnerability information from the private sector.

Reuters reported last week that two scheduled presentations at the 12th ICS Cyber Security Conference about a nuclear power plant's possible vulnerabilities to cyberattacks were cut at the last minute, after an equipment supplier to the plant threatened to sue.

The unnamed vendor reportedly said the presentations would have revealed too much about its equipment, even though the plant's officials had approved the presentation.

The threatened suit was not an isolated instance. Those at the conference were also told that "a security firm that had uncovered the thousands of pieces of control equipment exposed to online attacks did not tell U.S. authorities where they were installed because it feared being sued by the equipment owners," Reuters reported.

On the public-sector side, conference attendees heard that the government has kept secret for five years a technique it discovered for attacking electricity generation equipment. That, the report said, meant that potential targets "had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves."

As has been reported numerous times, information sharing between the private and public sector -- especially regarding the control systems of critical infrastructure -- was one of the things Congress had hoped to address with cybersecurity legislation. After the latest of those bills, the 2012 Cyber Security Act (CSA), failed to come to a vote in the Senate in August, President Obama has been signaling for months that he would seek to implement some of the same things by executive order.

A couple of drafts of that order have leaked, but it is expected to be issued only if the president wins a second term in today's election.

The Federal Times said the order "would direct agencies to share cyber threat information with companies operating critical infrastructure," but would only ask private firms to share information with the government, although that request would come with some incentives.

While both political parties blame the other for the failure of legislation, both also say they agree on the need for information sharing. But at the present, it seems those in the private and public sector directly involved in infrastructure security don't think it's a good enough idea to actually do it.


The reasons, say experts, are both legal and economic. Marc Zwillinger, an attorney with the Washington, D.C. law firm ZwillGen, said: "Providing information to the government that causes a third party to lose significant business always creates liability risks. There's a possibility that either you are wrong, or that someone else will make it extremely expensive to prove that you are right, which may be crippling and distracting."

"Of course, providing information that causes your own company to lose business could also be perceived as potential career-ending risk for the individuals involved," he said.

Rebecca Herold, CEO of The Privacy Professor, notes that, as has been widely reported, many control systems are old, and were not designed with security or even Internet connectivity in mind.

"When the utilities are thinking about the release of the equipment vulnerabilities, they are probably first thinking, 'How can we monitor all these locations once the vulnerabilities are reported to the public?' That is probably one of their key concerns," she said.

Kevin McAleavey, cofounder and chief architect of the KNOS Project, said he believes "the bad guys" are already aware of vulnerabilities in control systems. "[But] if the customers found out about the vulnerabilities, the manufacturer would have to fix their products or replace them and that would give the customer the opportunity to buy from another vendor with a possibly more secure product if the vendor hasn't redesigned the existing product," he said. "So there's your motive."

Would either legislation or an executive order fix that problem?

Kevin McAleavey believes so. "When it comes to critical infrastructure that is life-critical, information must be shared, and vendors who refuse to mitigate their security issues need to be exposed," he said. "Sadly it will probably require legislative or executive action to make this so."

Marc Zwillinger said the protection of proprietary information is a legitimate concern, "but there are also ways to make relevant disclosures that minimize the privacy risk. It's not clear if legislation or an EO would solve the information-sharing problem," he said, "but it isn't going to solve itself."

"It would likely be effective to have government groups such as NIST (National Institute of Standards and Technology), NAESB (North American Energy Standards Board) and the SGIP (Smart Grid Interoperability Panel) work with all the entities involved to establish standards for identifying such vulnerabilities, as well as threats, and then create standards and procedures for rolling out fixes for them," Herold said.

"An associated law or regulation could then require the involved entities to follow the established standards and procedures, as appropriate for their risks," she said.

Stories by Taylor Armerding